pam_radius module: How to reject authentication immediately when RADIUS fails?

Alan DeKok aland at deployingradius.com
Wed Feb 23 13:35:09 UTC 2022


On Feb 23, 2022, at 5:54 AM, Ole Holm Nielsen via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> I could not find this question as an FAQ or by Google searches, so can anyone help?

  This is really a question for PAM.  I find PAM rather opaque.  It's very difficult to understand.  And debugging?  Debugging doesn't exist.

> Question: If the user fails RADIUS authentication, how can we reject the SSH login immediately without proceeding to other authentication methods?

  IIRC you list pam_auth_radius as "requisite" instead of "sufficient": https://linux.die.net/man/5/pam.d

> Question: Does anyone have a method for /etc/pam.d/sshd which will skip the superfluous password questions and reject the user immediately if RADIUS fails?

  See the PAM documentation for how to configure PAM.  This is relatively well documented, if difficult to understand.

  Alan DeKok.
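
The difference between the "sufficient" and "requisite" control flags discussed in this thread, as an added example that is not part of the original message and is not Linux-PAM or FreeRADIUS code: a simplified Python model of how PAM walks an auth stack. The two-line stacks and the module outcomes are constructed, and only `required`, `requisite` and `sufficient` are modelled.

```python
# Simplified model of how Linux-PAM evaluates an "auth" stack.
# Added illustration, not Linux-PAM code. Only the control flags
# required, requisite and sufficient are modelled.

def run_stack(stack, results):
    """stack: list of (control, module) in file order.
    results: module -> True (success) or False (failure).
    Returns (access_granted, modules_invoked)."""
    invoked = []
    failed = False      # a required module has already failed
    succeeded = False   # a required/requisite module has succeeded
    for control, module in stack:
        invoked.append(module)
        ok = results[module]
        if control == "requisite":
            if not ok:
                return False, invoked      # deny and stop: nothing else runs
            succeeded = True
        elif control == "required":
            if ok:
                succeeded = True
            else:
                failed = True              # deny later, but keep prompting
        elif control == "sufficient":
            if ok and not failed:
                return True, invoked       # grant and stop
            # a failed "sufficient" module is ignored; the stack continues
        else:
            raise ValueError(f"control flag not modelled: {control}")
    return succeeded and not failed, invoked

# Constructed two-line stacks: RADIUS first, local password second.
RADIUS, UNIX = "pam_radius_auth", "pam_unix"
AS_SUFFICIENT = [("sufficient", RADIUS), ("required", UNIX)]
AS_REQUISITE = [("requisite", RADIUS), ("required", UNIX)]

if __name__ == "__main__":
    radius_rejects = {RADIUS: False, UNIX: True}   # constructed outcome
    for name, stack in (("sufficient", AS_SUFFICIENT), ("requisite", AS_REQUISITE)):
        granted, invoked = run_stack(stack, radius_rejects)
        print(f"{name:10} granted={granted} invoked={invoked}")
```

With `requisite`, a successful RADIUS result still continues to the modules listed after it; only a failure stops the stack.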


